An analysis of information technology risks and governance disclosure: evidence from the top 40 JSE listed companies.

Abstract

The study analysed the extent to which information technology risks and governance is disclosed by top 40 JSE-listed companies in their 2021 integrated reports as part of the risk governance practices. It also conducted a review to identify similarities and differences between King IV and other international standards such as ISO 27002, 38500, COBIT 5, SOX, and ISA 315 on IT governance and risk disclosure requirements. The results revealed that 32 out of the top 40 JSE-listed companies (80%) fully complied with King IV and other international standards on the disclosure of their IT governance and risk management in the integrated and corporate governance reports. The results further revealed that 8 out of the top 40 JSE-listed companies (20%) partially complied with King IV on disclosure of IT governance and risk management. Furthermore, the results indicated that King IV and other international standards were similar on 19 out 24 (79%) of the IT governance and risk management disclosure requirements and differed on 5 out of 24 (21%) requirements. The study confirmed the extent of IT and risk governance disclosure of the selected companies and determined areas of similarities and differences. The study adds to the debate on King IV disclosure requirements with regards to IT governance and risk management by public companies in corporate reporting and further adds to the debate on stakeholder theory.